Add support for canceling authorization requests without authorizing sites #1491
Conversation
|
I use extension-base as a dependency so was missing this functionality. I wasn't sure if it was the intended behavior that the polkadot-js extension should always add the url to the authorized list or not. Happy to adding a button if you want it. |
|
I see. I think we've been back and forth with this functionality. As in the older version (the one live forever that hadn't been updated in 2 years) did add the website to the list. I changed this when adding account selection because I thought it made sense, but feedback showed the behavior wasn't welcome, pinging users over and over and I believe Talisman was behaving differently.. so I reverted. I'd say let's keep it as is then, bc I haven't heard of anyone complaining about this for a while, and an additional button may be confusing |
There was a problem hiding this comment.
This is not changing anything to the currently live version.
The only thing I'm worried about is that when changes are made to the code of this lib, we're not taking implementations other than pjs-extension into account, since I don't think it's aimed at being a lib used by the outside world 🤷
I think the main issue with site pinging people over and over again is caused by many dApp implementation using For that reason we don't use the |
|
it's still possible to go get all the extensions injected, and only enable the ones the user want. Dot-connect does this well with papi, but it was possible before (it needs a custom logic and |
|
I just took a look at both Talisman and Subwallet to see what their approach to rejecting and canceling is.
In general I prefer SubWallets approach. They also check the URL and key for authorization when a sign request is received which is missing from the polkadot extension. My concern with simply adding a URL to the authorized list with 0 authorized keys is that in theory a site that is somehow aware of keys in the wallet can still initiate a signing request for a unconnected key. I prefer to not give a potentially malicious site any chance for causing confusion by not marking it as authorized so feel the cancel option in this PR is more defensive. |
|
Verifying that the key is authorized before signing is for sure welcome, but that's a different topic. As for the rest and more buttons I don't have a strong opinion, if you feel like adding a Cancel button back, I'd personally be ok with it despite the slightly more confusing design |
F-OBrien
force-pushed
the
cancel-auth
branch
from
9aff585 to
74042e9
Compare
|
@Tbaut I changed the implementation slightly but it does the same thing. I also added a button to the UI along with a check box. After battling with CSS (which I still hate) the checkbox and note should always remain visible or at least show a scroll bar now unlike the previous reject text that was always off the screen for me on windows with chrome I also added pagination for multiple connection requests rather than rendering them all on top of each other with only an option to action the first one. |
|
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
PR #1453 added the ability to reject an authorization request, which is valuable as it throws an error that can be handled by the request originator. However, the current behavior still adds the site to the list of authorized sites, which may not always be desired.
This PR adds a new message handler
pri(authorize.cancel)that:pri(authorize.delete.request))= Does NOT add the URL to the list of authorized sites
The key difference is that users can now completely cancel an authorization attempt without having the site appear in their authorized sites list. The site will also prompt for authorization again for future attempts to connect the extension.